Kubernetes Network Policy
Last Updated :
24 Sep, 2024
Kubernetes is a well-known tool to build applications quite easily manageable and deployable anywhere. As a managed service, Kubernetes offers various options that will suit your needs. Kubernetes incorporates several commands that reduce the overhead of many time-consuming aspects of application management with which you can automate routine tasks.
What Is Kubernetes Network Policy?
Kubernetes Network Policies provides you with set rules for how data moves in your cluster and between Pods and the outside. Your cluster needs a network plugin that works with Network Policy. To control data flow based on IP addresses or ports for TCP, UDP, and SCTP, you should consider using Kubernetes Network Policies for some apps in your cluster. Every Network Policy you make focuses on a group of Pods and decides which external connections they can send and receive.
How Do Kubernetes Network Policies Work?
- Network Policies can provide a separate set of allowable targets for their Ingress and Egress rules, It is also possible to use Network Policies to disable all network connections for a Pod or to limit traffic to a certain port range.
- Network Policies are additive, thus you can have many policies targeting the same Pod.
- In the OSI networking paradigm, Network Policies are layer 3/4 controls. They use IP addresses and port numbers at the network transport level.
- Network Policies aren't a comprehensive answer. The present version has significant limitations, including the inability to report network policy block events and the absence of support for explicit reject policy.
How Are Network Policies Implemented?
- The CNI networking plugin you use in your cluster is responsible for applying Network Policies.
- Your rules need to work well with how your plugin uses these policies.
- Cloud companies that provide managed Kubernetes services will automatically turn on support. If you are managing your cluster, make sure you are using a compatible CNI plugin..
Step-By-Step Guide To Creating A Network Policy In Kubernetes
Step 1: Create a Namespace
- First, For better isolation, you can establish a different namespace and apply a Network Policy to it.
kubectl create namespace my-app
Output:
Step 2: Define the Pods to Protect
- Labels will allow Pods to be defined in the following phase.
kubectl label pod <pod-name> app=my-app -n my-app
Output:
Step 3: Make a Network Policy YAML
- Next, Your Network Policy will be created in a YAML file that you will generate.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-specified
namespace: my-app
spec:
podSelector:
matchLabels:
app: my-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: allowed-app
egress:
- to:
- podSelector:
matchLabels:
app: external-app
ports:
- protocol: TCP
port: 8080
Step 4: Apply the Network Policy
- To apply the network policy, you need to run the command below and confirm the outcomes.
kubectl apply -f network-policy.yaml
Output:
Step 5: Verify the Policy
- Next, you need to verify the Network Policy's proper application.
kubectl get networkpolicy -n my-app
Output:
Step 6: Test the Policy
- Lastly, You must test this to communicate with the pod from tried and denied pods and make sure the policy is constructive or not. To run commands inside of pods, use the unelevated command.
kubectl exec <allowed-pod> -- curl <target-pod-ip>:8080
Output:
Use Cases Of Kubernetes Network Policies
- It is important to protect traffic in our groups of pods. By default, all pods can talk to each other freely.
- The Network Policy tool helps us control the traffic going in and out of pods.
- We can make sure that our frontend pods can only connect to the backend application, preventing an attacker from having direct access to the database or other pods if they breach the frontend.
- Firewalls, either software or hardware, are often used to control traffic in networks.
Best Practices for Kubernetes Network Policies
- Use Labels for Fine-Grained Control: Kubernetes network policies use labels to determine which pods they apply to. To regulate a collection of pods, identify them using consistent, relevant labels, and then apply policies based on these labels.
- Control External Access: You are able to apply restrictions in the access of pods externally with services that are outside a cluster. This is achieved through the definition of network policies that reduce egress to particular IP addresses, CIDRs, or domain names using an egress proxy or firewall.
- Network Traffic: Observe all policy rules and network traffic by using tools that support logging capabilities such as Cilium, network plugins, or Kubectl logs. See audit logs on a periodic basis for anomalies or security issues.
- Apply Policies Incrementally: Do not abruptly interrupt the network. Apply the network policies in stages. First, use policies that monitor - log the traffic instead of blocking it. In this way, one will be able to analyze tendencies in the traffic.
Conclusion
Kubernetes Network Policies are an essential tool for securing traffic within your cluster, giving you control over how Pods communicate with each other and external resources. By implementing well-designed network policies, you can safeguard your applications from unwanted traffic, prevent lateral movement in case of a breach, and ensure smoother traffic management. Start leveraging Network Policies to enhance security and optimize network performance in your Kubernetes deployments.
Similar Reads
kubernetes Network Policlies
Everyone agrees that Kubernetes clusters are insecure by default. But the good news is that Kubernetes provides the tools to make that happen. In this article, we’re going to learn about one of the resources that K8s provides straight out of the box to help make your deployed apps more secure: Netwo
11 min read
How To Use Kubernetes Network Policies?
Kubernetes is the kind of container-centric management software used for the deployment and operation of cont energized applications. It was originally developed by google clouds. It improves your reliability and reduces the time, workload and provides developers resources attributes to daily operat
5 min read
Kubernetes Policies
Pre-requisite: Kubernetes In this article, we will be discussing Kubernetes policies, a key feature in the Kubernetes platform that allows administrators to enforce rules and restrictions on the use and management of resources within a cluster. We will cover the basics of Kubernetes policies, includ
4 min read
Kubernetes - Monitoring
Kubernetes is an open-source container orchestration system that allows developers to deploy and manage containerized applications at scale. One important aspect of running applications in Kubernetes is monitoring their performance and availability. In this article, we will explore some of the best
11 min read
Kubernetes - NodePort Service
NodePort service in Kubernetes is a service that is used to expose the application to the internet from where the end-users can access it. If you create a NodePort Service Kubernetes will assign the port within the range of (30000-32767). The application can be accessed by end-users using the node's
5 min read
Kubernetes - Services
Software deployment, scaling, and management are all automated using Kubernetes, an open-source container orchestration system. K8s is another name for Kubernetes. Kubernetes was initially developed by Google and is now managed by the Cloud Native Computing Foundation. Despite the fact that it now s
3 min read
Kubernetes Tutorial
Kubernetes is an open-source container management platform that automates the deployment, management, and scaling of container-based applications in different kinds of environments like physical, virtual, and cloud-native computing foundations. In this Kubernetes Tutorial, you are going to learn all
8 min read
Kubernetes - Node
Kubernetes Nodes are the Worker or master machines where the actual work happens. Each Kubernetes node has the services required to execute Pods and is controlled by the Control Plane. Each Kubernetes Node can have multiple pods and pods have containers running inside them. 3 processes in every Node
13 min read
Kubernetes - Namespaces
Kubernetes Namespace is a mechanism that enables you to organize resources. It is like a virtual cluster inside the cluster. A namespace isolates the resources from the resources of other namespaces. For example, You need to have different names for deployments/services in a namespace but you can ha
9 min read
Kubernetes - Service DNS
An open-source container orchestration system called Kubernetes is primarily employed for the automated deployment, scaling, and management of software. Another name for Kubernetes is K8s. Initially created by Google, Kubernetes is currently maintained by the Cloud Native Computing Foundation. Altho
11 min read